Zeus returns in a new form of banking trojan

Cyber villains do not cease finding exquisite techniques to lure users into traps. It seems that ordinary malvertising strategies and the use of exploit kits no longer satisfy them. The greed for money inspires felons to develop more cunning malware penetration techniques. And the recent one is indeed worth applause.

Felons carefully injected specific keywords in legitimate or hacked sites. They most likely used several bots to boost Google SERP (Search Engine Results Pages) ranking of their sites.[1] When users entered one of them in their browser, they risked getting redirected at the very embrace of Zeus Panda banking trojan[2]. Here are a couple of keywords[3]:

They suggest a wide range of this virus campaign, specifically, banking trojan, campaign. It targets Swedish, Indian users as well as the Arabian country region. Some of the keywords are quite universal which only makes the campaign more menacing.

Executing via macros

When users type in the search results, they are directed through a series of redirect pages, when eventually they are landed to the site with hidden JavaScript code which then downloads a corrupted .doc file.

At this stage, Zeus virus operates similarly to ransomware. If macros are disabled by default, the document inquires to enable it to for a user to see the content. If enabled, the malware executable under the name of the obodok.exe file is downloaded and placed in %Temp% folder.

Deceptive veneer and self-destruction

The malware is indeed well programmed as it even has certain “immunity” to detection. It checks for popular sandboxing environments. In case, it finds any of the included apps, it self-destructs and leaves a batch file. The file in %Temp% folder is deleted as well. Later on, the malware continues performing surveillance and executes the removal of its source file.

Besides, the malware seems to contain certain exclusions. In case it corrupts a real system and detects Russian, Ukrainian, Kazak, or Belarussian language, it eliminates itself.

Ways to escape the malware

Luckily, according to VirusTotal[4], this new version of Zeus virus[5] is already detectable by the majority of anti-virus utilities. At the moment, updating your security software is the only way to reduce the risk of encountering this virtual menace. Users should also be careful what they click on and download from the Internet. Mobile, especially Android, users should install a couple of different type malware prevention and elimination tools as they are highly vulnerable to this banking trojan.

About the author

Julie Splinters
- Malware removal specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor was English Philology.